Some officials have expressed interest in regulating trades of software exploits, but others say it would be a futile effort.
When thousands of Iran's centrifuges were remotely disabled, it set the nuclear facility back an estimated 18 months. The failures, which were discovered in 2010, were caused by a computer worm called Stuxnet, which was developed by U.S. and Israeli intelligence agencies taking advantage of security holes in Iran's computer networks. Stuxnet was effective because it used several “zero-day exploits,” security vulnerabilities unknown to the victim of the attack.
Zero-day exploits sell for thousands of dollars in the intelligence community and their power has caught the attention of some officials who want to regulate the exchange of such information, reported The Washington Post. Many software developers offer cash prizes to those who can reveal serious security flaws in their software, while other software makers have been less appreciative, even going so far as to sue the person revealing the flaw.
“It’s like trying to regulate guns,” said Richard Schaeffer Jr., a former senior cybersecurity official at the National Security Agency, reported the Post. “We’ve got so many gun laws on the books, and yet criminals still have guns. There will always be mean, wrong, illegitimate things that human beings do for a price. So instead of trying to regulate things away, we need to accept it’s a fact of life. And the question is, how do we coexist with it?”
To read in-depth about the world of zero-day exploits and those who wish to regulate them, visit the Washington Post.